
Docker has a concept of layered images where only the top layer is writable. The layer above the "scratch"[1] image usually contains all the files of the base image's OS, and that's what you set your root directory to. The writable layer disappears when the container is stopped. If you mount your DIY container into /tmp, for example, the process running inside your container won't be able to access any OS functionality. You couldn't run a web server in such a container, for instance. On the other hand, whatever your containerized process writes into the mounted part of your hard disk won't disappear when the container stops. Because of that, I wouldn't run untrusted code in it.

[1] https://hub.docker.com/_/scratch



This is the file system, not Docker itself. You can get the overlay behavior without any Docker.


Can you point me to some online resources? I'd like to learn more about this.



Nice. Thank you.


Start with: https://windsock.io/the-overlay-filesystem/

After that, read more about overlay, overlayfs, and, for historical reasons, aufs.
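The "overlay behavior without any Docker" that the comments above describe, as an added example (not code from any commenter): the same lower/upper/work layout Docker builds on, driven with plain mount(8). It assumes a Linux kernel with overlayfs and root (or CAP_SYS_ADMIN) for the mount step only; the directory preparation and cleanup need no privileges.

```shell
#!/bin/sh
# Added example: a Docker-style layered root built with bare overlayfs.
# Assumes Linux with overlayfs; the mount/umount calls need root.
set -eu

# Lay out the directories overlayfs needs under $1:
#   lower  - the read-only base image (the layer above "scratch")
#   upper  - the single writable layer, where every write lands
#   work   - scratch space overlayfs itself requires (same fs as upper)
#   merged - mount point for the combined view the "container" sees
# A constructed sample file stands in for the base image's OS files.
overlay_prepare() {
    base="$1"
    mkdir -p "$base/lower/etc" "$base/upper" "$base/work" "$base/merged"
    printf 'base-image-file\n' > "$base/lower/etc/hello"
    printf '%s\n' "$base"
}

# Mount the overlay. lower is never written to; changes go to upper.
overlay_mount() {
    base="$1"
    mount -t overlay overlay \
        -o "lowerdir=$base/lower,upperdir=$base/upper,workdir=$base/work" \
        "$base/merged"
}

# Discard the writable layer: unmount, then recreate upper and work empty.
# This is the "cleaning it up afterward" step; the base image survives.
overlay_discard() {
    base="$1"
    umount "$base/merged" 2>/dev/null || true
    rm -rf "$base/upper" "$base/work"
    mkdir -p "$base/upper" "$base/work"
}

# True if a path written through merged/ ended up in upper/ and not lower/.
overlay_write_landed_in_upper() {
    base="$1"; rel="$2"
    [ -f "$base/upper/$rel" ] && [ ! -f "$base/lower/$rel" ]
}
```

Run as root: `d=$(overlay_prepare /tmp/ovl); overlay_mount "$d"; echo x > "$d/merged/etc/new"; overlay_write_landed_in_upper "$d" etc/new && overlay_discard "$d"`; the file written through merged/ appears only in upper/ and is gone after the discard.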


I'm not sure if this is what the parent is referring to, but there are overlayfs and unionfs in Ubuntu, for example.


I see, thanks. It's just a matter of preparing the directory before and cleaning it up afterward though, right? Not a security hole exactly?


Correct.



